+28

nixos/profiles/server.nix

··· 76 76 goatcounter-port = 3010; 77 77 goatcounter-hostname = "stats.wiro.world"; 78 78 79 79 + vaultwarden-port = 3011; 80 80 + vaultwarden-hostname = "vault.wiro.world"; 81 81 + 79 82 prometheus-port = 9001; 80 83 prometheus-node-exporter-port = 9002; 81 84 headscale-metrics-port = 9003; ··· 247 250 248 251 virtualHosts.${goatcounter-hostname}.extraConfig = '' 249 252 reverse_proxy http://localhost:${toString goatcounter-port} 253 253 + ''; 254 254 + 255 255 + virtualHosts.${vaultwarden-hostname}.extraConfig = '' 256 256 + reverse_proxy http://localhost:${toString vaultwarden-port} 250 257 ''; 251 258 }; 252 259 ··· 526 533 port = goatcounter-port; 527 534 proxy = true; 528 535 extraArgs = [ "-automigrate" ]; 536 536 + }; 537 537 + 538 538 + age.secrets.vaultwarden-env.file = ../../secrets/vaultwarden-env.age; 539 539 + services.vaultwarden = { 540 540 + enable = true; 541 541 + 542 542 + environmentFile = config.age.secrets.vaultwarden-env.path; 543 543 + config = { 544 544 + ROCKET_PORT = vaultwarden-port; 545 545 + DOMAIN = "https://${vaultwarden-hostname}"; 546 546 + SIGNUPS_ALLOWED = false; 547 547 + # ADMIN_TOKEN = ...; # Via secret env 548 548 + 549 549 + SMTP_HOST = "smtp.resend.com"; 550 550 + SMTP_PORT = 2465; 551 551 + SMTP_SECURITY = "force_tls"; 552 552 + SMTP_USERNAME = "resend"; 553 553 + # SMTP_PASSWORD = ...; # Via secret env 554 554 + SMTP_FROM = "bitwarden@wiro.world"; 555 555 + SMTP_FROM_NAME = "Bitwarden wiro.world"; 556 556 + }; 529 557 }; 530 558 }; 531 559 }

+2

secrets/secrets.nix

··· 29 29 "authelia-ldap-password.age".publicKeys = deploy; 30 30 "authelia-smtp-password.age".publicKeys = deploy; 31 31 "tuwunel-registration-tokens.age".publicKeys = deploy; 32 32 + # Defines `ADMIN_TOKEN`, `SMTP_PASSWORD` 33 33 + "vaultwarden-env.age".publicKeys = deploy; 32 34 33 35 # Not used in config but useful 34 36 "pgp-ca5e.age".publicKeys = users;

secrets/vaultwarden-env.age

This is a binary file and will not be displayed.